/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/builtin/enc_provider/camellia.c - Camellia enc provider */
/*
* Copyright (C) 2009, 2010 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
#include "crypto_int.h"
#include "camellia.h"
/*
* Private per-key data to cache after first generation. We don't want to mess
* with the imported Camellia implementation too much, so we'll just use two
* copies of its context, one for encryption and one for decryption, and use
* the keybitlen field as a flag for whether we've initialized each half.
*/
struct camellia_key_info_cache {
camellia_ctx enc_ctx, dec_ctx;
};
#define CACHE(X) ((struct camellia_key_info_cache *)((X)->cache))
/* out = out ^ in */
static inline void
xorblock(const unsigned char *in, unsigned char *out)
{
size_t q;
for (q = 0; q < BLOCK_SIZE; q += 4)
store_32_n(load_32_n(out + q) ^ load_32_n(in + q), out + q);
}
static inline krb5_error_code
init_key_cache(krb5_key key)
{
if (key->cache != NULL)
return 0;
key->cache = malloc(sizeof(struct camellia_key_info_cache));
if (key->cache == NULL)
return ENOMEM;
CACHE(key)->enc_ctx.keybitlen = CACHE(key)->dec_ctx.keybitlen = 0;
return 0;
}
static inline void
expand_enc_key(krb5_key key)
{
if (CACHE(key)->enc_ctx.keybitlen)
return;
if (camellia_enc_key(key->keyblock.contents, key->keyblock.length,
&CACHE(key)->enc_ctx) != camellia_good)
abort();
}
static inline void
expand_dec_key(krb5_key key)
{
if (CACHE(key)->dec_ctx.keybitlen)
return;
if (camellia_dec_key(key->keyblock.contents, key->keyblock.length,
&CACHE(key)->dec_ctx) != camellia_good)
abort();
}
/* CBC encrypt nblocks blocks of data in place, using and updating iv. */
static inline void
cbc_enc(krb5_key key, unsigned char *data, size_t nblocks, unsigned char *iv)
{
for (; nblocks > 0; nblocks--, data += BLOCK_SIZE) {
xorblock(iv, data);
if (camellia_enc_blk(data, data, &CACHE(key)->enc_ctx) !=
camellia_good)
abort();
memcpy(iv, data, BLOCK_SIZE);
}
}
/* CBC decrypt nblocks blocks of data in place, using and updating iv. */
static inline void
cbc_dec(krb5_key key, unsigned char *data, size_t nblocks, unsigned char *iv)
{
unsigned char last_cipherblock[BLOCK_SIZE];
assert(nblocks > 0);
data += (nblocks - 1) * BLOCK_SIZE;
memcpy(last_cipherblock, data, BLOCK_SIZE);
for (; nblocks > 0; nblocks--, data -= BLOCK_SIZE) {
if (camellia_dec_blk(data, data, &CACHE(key)->dec_ctx) !=
camellia_good)
abort();
xorblock(nblocks == 1 ? iv : data - BLOCK_SIZE, data);
}
memcpy(iv, last_cipherblock, BLOCK_SIZE);
}
static krb5_error_code
krb5int_camellia_encrypt(krb5_key key, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data)
{
unsigned char iv[BLOCK_SIZE], block[BLOCK_SIZE];
unsigned char blockN2[BLOCK_SIZE], blockN1[BLOCK_SIZE];
size_t input_length, nblocks, ncontig;
struct iov_cursor cursor;
if (init_key_cache(key))
return ENOMEM;
expand_enc_key(key);
k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
input_length = iov_total_length(data, num_data, FALSE);
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
if (nblocks == 1) {
k5_iov_cursor_get(&cursor, block);
memset(iv, 0, BLOCK_SIZE);
cbc_enc(key, block, 1, iv);
k5_iov_cursor_put(&cursor, block);
return 0;
}
if (ivec != NULL)
memcpy(iv, ivec->data, BLOCK_SIZE);
else
memset(iv, 0, BLOCK_SIZE);
while (nblocks > 2) {
ncontig = iov_cursor_contig_blocks(&cursor);
if (ncontig > 0) {
/* Encrypt a series of contiguous blocks in place if we can, but
* don't touch the last two blocks. */
ncontig = (ncontig > nblocks - 2) ? nblocks - 2 : ncontig;
cbc_enc(key, iov_cursor_ptr(&cursor), ncontig, iv);
iov_cursor_advance(&cursor, ncontig);
nblocks -= ncontig;
} else {
k5_iov_cursor_get(&cursor, block);
cbc_enc(key, block, 1, iv);
k5_iov_cursor_put(&cursor, block);
nblocks--;
}
}
/* Encrypt the last two blocks and put them back in reverse order, possibly
* truncating the encrypted second-to-last block. */
k5_iov_cursor_get(&cursor, blockN2);
k5_iov_cursor_get(&cursor, blockN1);
cbc_enc(key, blockN2, 1, iv);
cbc_enc(key, blockN1, 1, iv);
k5_iov_cursor_put(&cursor, blockN1);
k5_iov_cursor_put(&cursor, blockN2);
if (ivec != NULL)
memcpy(ivec->data, iv, BLOCK_SIZE);
return 0;
}
static krb5_error_code
krb5int_camellia_decrypt(krb5_key key, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data)
{
unsigned char iv[BLOCK_SIZE], dummy_iv[BLOCK_SIZE], block[BLOCK_SIZE];
unsigned char blockN2[BLOCK_SIZE], blockN1[BLOCK_SIZE];
size_t input_length, last_len, nblocks, ncontig;
struct iov_cursor cursor;
if (init_key_cache(key))
return ENOMEM;
expand_dec_key(key);
k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
input_length = iov_total_length(data, num_data, FALSE);
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
last_len = input_length - (nblocks - 1) * BLOCK_SIZE;
if (nblocks == 1) {
k5_iov_cursor_get(&cursor, block);
memset(iv, 0, BLOCK_SIZE);
cbc_dec(key, block, 1, iv);
k5_iov_cursor_put(&cursor, block);
return 0;
}
if (ivec != NULL)
memcpy(iv, ivec->data, BLOCK_SIZE);
else
memset(iv, 0, BLOCK_SIZE);
while (nblocks > 2) {
ncontig = iov_cursor_contig_blocks(&cursor);
if (ncontig > 0) {
/* Encrypt a series of contiguous blocks in place if we can, but
* don't touch the last two blocks. */
ncontig = (ncontig > nblocks - 2) ? nblocks - 2 : ncontig;
cbc_dec(key, iov_cursor_ptr(&cursor), ncontig, iv);
iov_cursor_advance(&cursor, ncontig);
nblocks -= ncontig;
} else {
k5_iov_cursor_get(&cursor, block);
cbc_dec(key, block, 1, iv);
k5_iov_cursor_put(&cursor, block);
nblocks--;
}
}
/* Get the last two ciphertext blocks. Save the first as the new iv. */
k5_iov_cursor_get(&cursor, blockN2);
k5_iov_cursor_get(&cursor, blockN1);
if (ivec != NULL)
memcpy(ivec->data, blockN2, BLOCK_SIZE);
/* Decrypt the second-to-last ciphertext block, using the final ciphertext
* block as the CBC IV. This produces the final plaintext block. */
memcpy(dummy_iv, blockN1, sizeof(dummy_iv));
cbc_dec(key, blockN2, 1, dummy_iv);
/* Use the final bits of the decrypted plaintext to pad the last ciphertext
* block, and decrypt it to produce the second-to-last plaintext block. */
memcpy(blockN1 + last_len, blockN2 + last_len, BLOCK_SIZE - last_len);
cbc_dec(key, blockN1, 1, iv);
/* Put the last two plaintext blocks back into the iovec. */
k5_iov_cursor_put(&cursor, blockN1);
k5_iov_cursor_put(&cursor, blockN2);
return 0;
}
krb5_error_code
krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
size_t num_data, const krb5_data *ivec,
krb5_data *output)
{
unsigned char iv[BLOCK_SIZE], block[BLOCK_SIZE];
struct iov_cursor cursor;
if (output->length < BLOCK_SIZE)
return KRB5_BAD_MSIZE;
if (init_key_cache(key))
return ENOMEM;
expand_enc_key(key);
if (ivec != NULL)
memcpy(iv, ivec->data, BLOCK_SIZE);
else
memset(iv, 0, BLOCK_SIZE);
k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
while (k5_iov_cursor_get(&cursor, block))
cbc_enc(key, block, 1, iv);
output->length = BLOCK_SIZE;
memcpy(output->data, iv, BLOCK_SIZE);
return 0;
}
static krb5_error_code
camellia_init_state(const krb5_keyblock *key, krb5_keyusage usage,
krb5_data *state)
{
state->length = 16;
state->data = malloc(16);
if (state->data == NULL)
return ENOMEM;
memset(state->data, 0, state->length);
return 0;
}
static void
camellia_key_cleanup(krb5_key key)
{
zapfree(key->cache, sizeof(struct camellia_key_info_cache));
}
const struct krb5_enc_provider krb5int_enc_camellia128 = {
16,
16, 16,
krb5int_camellia_encrypt,
krb5int_camellia_decrypt,
krb5int_camellia_cbc_mac,
camellia_init_state,
krb5int_default_free_state,
camellia_key_cleanup
};
const struct krb5_enc_provider krb5int_enc_camellia256 = {
16,
32, 32,
krb5int_camellia_encrypt,
krb5int_camellia_decrypt,
krb5int_camellia_cbc_mac,
camellia_init_state,
krb5int_default_free_state,
camellia_key_cleanup
};